{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T15:38:39Z","timestamp":1773329919468,"version":"3.50.1"},"reference-count":71,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100003382","name":"Japan Science and Technology Agency (JST), Core Research for Evolutional Science and Technology (CREST), Japan","doi-asserted-by":"publisher","award":["JPMJCR20D3"],"award-info":[{"award-number":["JPMJCR20D3"]}],"id":[{"id":"10.13039\/501100003382","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2021]]},"DOI":"10.1109\/tifs.2021.3062977","type":"journal-article","created":{"date-parts":[[2021,3,1]],"date-time":"2021-03-01T21:31:54Z","timestamp":1614634314000},"page":"2709-2723","source":"Crossref","is-referenced-by-count":55,"title":["Block-Wise Image Transformation With Secret Key for Adversarially Robust Defense"],"prefix":"10.1109","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0036-6577","authenticated-orcid":false,"given":"Maungmaung","family":"Aprilpyone","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8061-3090","authenticated-orcid":false,"given":"Hitoshi","family":"Kiya","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref71","first-page":"1831","article-title":"Defense against adversarial attacks using feature scattering-based adversarial training","author":"zhang","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref70","article-title":"AdverTorch v0.1: An adversarial robustness toolbox based on PyTorch","author":"ding","year":"2019","journal-title":"arXiv 1902 07623"},{"key":"ref39","first-page":"3866","article-title":"NATTACK: Learning the distributions of adversarial examples for an improved black-box attack on deep neural networks","volume":"97","author":"li","year":"2019","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref38","first-page":"10934","article-title":"Improving black-box adversarial attacks with a transfer-based prior","author":"cheng","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00444"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00957"},{"key":"ref31","first-page":"10","article-title":"EAD: Elastic-net attacks to deep neural networks via adversarial examples","author":"chen","year":"2018","journal-title":"Proc 32nd AAAI Conf Artif Intell"},{"key":"ref30","first-page":"6103","article-title":"Poison frogs! targeted clean-label poisoning attacks on neural networks","author":"shafahi","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref37","first-page":"5032","article-title":"Adversarial risk and the dangers of evaluating against weak attacks","volume":"80","author":"uesato","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref36","first-page":"2142","article-title":"Black-box adversarial attacks with limited queries and information","volume":"80","author":"ilyas","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00284"},{"key":"ref60","first-page":"1","article-title":"Bridging machine learning and cryptography in defence against adversarial attacks","author":"taran","year":"2018","journal-title":"Proc Eur Conf Comput Vis (ECCV)"},{"key":"ref62","article-title":"Fashion-MNIST: A novel image dataset for benchmarking machine learning algorithms","author":"xiao","year":"2017","journal-title":"ArXiv 1708 07747"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"ref63","article-title":"Learning multiple layers of features from tiny images","author":"krizhevsky","year":"2009"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP40778.2020.9190904"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-015-0816-y"},{"key":"ref27","first-page":"1","article-title":"Why do deep convolutional networks generalize so poorly to small image transformations?","volume":"20","author":"azulay","year":"2019","journal-title":"J Mach Learn Res"},{"key":"ref65","author":"bellare","year":"2010","journal-title":"Addendum to &#x2018;The FFX Mode of Operation for Format-Preserving Encryption&#x2019; A Parameter Collection for Enciphering Strings Arbitrary Radix Length"},{"key":"ref66","article-title":"Ensemble of models trained by key-based transformed images for adversarially robust defense against black-box attacks","author":"aprilpyone","year":"2020","journal-title":"arXiv 2011 07697"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1007\/s10994-010-5188-5"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"ref68","article-title":"Super-convergence: Very fast training of neural networks using large learning rates","author":"smith","year":"2017","journal-title":"arXiv 1708 07120"},{"key":"ref69","article-title":"Mixed precision training","author":"micikevicius","year":"2017","journal-title":"arXiv 1710 03740"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813677"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2881677"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/ICIP.2019.8804201"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1017\/ATSIP.2018.33"},{"key":"ref24","article-title":"Block-wise scrambled image recognition using adaptation network","author":"madono","year":"2020","journal-title":"arXiv 2001 07761"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2959017"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1587\/transinf.2016MUL0002"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/ICCE-China.2018.8448772"},{"key":"ref50","first-page":"1","article-title":"Thermometer encoding: One hot way to resist adversarial examples","author":"buckman","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref51","first-page":"1","article-title":"Countering adversarial images using input transformations","author":"guo","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140444"},{"key":"ref58","article-title":"Detecting adversarial samples from artifacts","author":"feinman","year":"2017","journal-title":"arXiv 1703 00410"},{"key":"ref57","first-page":"1","article-title":"On detecting adversarial perturbations","author":"metzen","year":"2017","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2958358"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00669"},{"key":"ref54","first-page":"1","article-title":"Defense-GAN: Protecting classifiers against adversarial attacks using generative models","author":"samangouei","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref53","first-page":"1","article-title":"PixelDefend: Leveraging generative models to understand and defend against adversarial examples","author":"song","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref52","first-page":"1","article-title":"Mitigating adversarial effects through randomization","author":"xie","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref10","article-title":"Exploring the landscape of spatial robustness","author":"engstrom","year":"2017","journal-title":"arXiv 1712 02779"},{"key":"ref11","article-title":"Motivating the rules of the game for adversarial example research","author":"gilmer","year":"2018","journal-title":"arXiv 1807 06732"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"ref13","first-page":"284","article-title":"Synthesizing robust adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref14","first-page":"1","article-title":"Adversarial examples in the physical world","author":"kurakin","year":"2017","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978392"},{"key":"ref17","article-title":"On evaluating adversarial robustness","author":"carlini","year":"2019","journal-title":"arXiv 1902 06705"},{"key":"ref18","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref19","article-title":"On adaptive attacks to adversarial example defenses","author":"tramer","year":"2020","journal-title":"arXiv 2002 08347"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref3","first-page":"1","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2014","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref6","first-page":"1","article-title":"Adversarial machine learning at scale","author":"kurakin","year":"2017","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref5","first-page":"1","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2015","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref49","first-page":"1","article-title":"Fast is better than free: Revisiting adversarial training","author":"wong","year":"2020","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref9","first-page":"1","article-title":"Towards deep learning models resistant to adversarial attacks","author":"madry","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref46","first-page":"3575","article-title":"Differentiable abstract interpretation for provably robust neural networks","volume":"80","author":"mirman","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref45","article-title":"On the effectiveness of interval bound propagation for training verifiably robust models","author":"gowal","year":"2018","journal-title":"arXiv 1810 12715"},{"key":"ref48","first-page":"3353","article-title":"Adversarial training for free!","author":"shafahi","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref47","first-page":"8400","article-title":"Scaling provable adversarial defenses","author":"wong","year":"2018","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref42","first-page":"550","article-title":"A dual approach to scalable verification of deep networks","author":"dvijotham","year":"2018","journal-title":"Proc UAI"},{"key":"ref41","first-page":"1","article-title":"Certified defenses against adversarial examples","author":"raghunathan","year":"2018","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref44","first-page":"11289","article-title":"Provably robust deep learning via adversarially trained smoothed classifiers","author":"salman","year":"2019","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref43","first-page":"5283","article-title":"Provable defenses against adversarial examples via the convex outer adversarial polytope","author":"wong","year":"2018","journal-title":"Proc Int Conf Mach Learn"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9151439\/09366496.pdf?arnumber=9366496","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T14:52:41Z","timestamp":1652194361000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9366496\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"references-count":71,"URL":"https:\/\/doi.org\/10.1109\/tifs.2021.3062977","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021]]}}}